** Also affects: sssd (Ubuntu Focal)
Importance: Undecided
Status: New
** Also affects: gdm3 (Ubuntu Focal)
Importance: Undecided
Status: New
** Changed in: gdm3 (Ubuntu Focal)
Status: New => In Progress
** Changed in: sssd (Ubuntu Focal)
Status: New => In Progress
** Changed in: sssd (Ubuntu Focal)
Assignee: (unassigned) => Marco Trevisan (Treviño) (3v1n0)
** Changed in: sssd (Ubuntu Focal)
Importance: Undecided => Medium
** Changed in: gdm3 (Ubuntu Focal)
Importance: Undecided => Medium
** Changed in: gdm3 (Ubuntu Focal)
Assignee: (unassigned) => Marco Trevisan (Treviño) (3v1n0)
--
https://bugs.launchpad.net/bugs/1917362
Title:
PAM: smartcard owner isn't associated to user by default
Status in sssd:
Fix Released
Status in gdm3 package in Ubuntu:
Fix Released
Status in sssd package in Ubuntu:
Fix Released
Status in gdm3 source package in Focal:
In Progress
Status in sssd source package in Focal:
In Progress
Status in gdm3 source package in Hirsute:
Won't Fix
Status in sssd source package in Hirsute:
Won't Fix
Bug description:
[ Impact ]
Smartcard user is not selected automatically when inserting a smartcard
[ Test case ]
Insert a smartcard that has a user associated to it:
-> gdm is expected to select the user associated to it and start the
authentication, requesting the card PIN, without having to explicitly
write the username.
[ Regression potential ]
PAM configuration for smartcard changed the order [1] in which we check
the services, so:
- if a /var/run/nologin exists, the user will be denied access to the
system only after the PIN has been inserted.
- root may be an allowed user, if associated to a smartcard (even though we
trust SSSD PAM module and configuration explicitly disallows it).
[1] https://salsa.debian.org/gnome-team/gdm/-/compare/90e71bd4...d32be2e5
---
There's an SSSD side of this fix (for the cards with multiple certificates)
that is part of 2.4.1 and should be handled by
https://github.com/SSSD/sssd/pull/5401/
(+ commit https://github.com/SSSD/sssd/commit/4ea1739d09b)
GDM should instead handle empty users properly both in the PAM config
and sending the info back to gnome-shell.